Dailydave mailing list archives
Re: Some Propaganda.
From: Piotr Bania <bania.piotr () gmail com>
Date: Wed, 15 Nov 2006 17:53:20 +0100
> All in all, it looks pretty impressive :-)

It took a lot of time, so it should look so :)

> A few things I am wondering about: if one regards instruction n-grams, e.g. sequences of n instructions, do they still statistically match what a regular compiler would generate?

The metamorphic engine is not 100% finished yet, so I will try to answer this question when the release time comes (I hope I will not forget though; if so, please just remind me).

> Secondly, if one was capable of "measuring" the effectiveness of the optimizer, would one not see a difference at the point where code is inserted?

If we speak about the integration engine, well, first of all, if you don't have the prototype file I doubt you can find the injection (without spending some cool time with your IDA and debugger). Secondly, the user decides where the injection should be done (for example, he can use one of the HotRegions listed in the window I showed you before; HotRegions shows the locations that are most probable to get executed, but on the other hand he can use his imagination and use some other place).

Also, currently the integration engine is 100% ready, so it is a fact that it is able to do some cool things to keep the injection undetected. For example, if the user produces malware code which relies on the original program's API functions, the engine can write the correct offsets and update his code; moreover, it can also add his "instructions" to the reloc sections, so the thing works even if the code is relocated, i.e. drivers. All depends on the plugins; you can do everything, you have your PE file in pieces, you just move the chains and it walks.

But when the user is dumb (I believe such guys will not get my software) and he makes the injection at the entry point - it's stupid, but what can I say, even for an experienced reverse-engineer it is very hard to find the injected code (of course, if the injected code is nicely written) inside a big application. Who can expect that the attacker is going to rebuild all of the original file? Yes, the times of adding trojans to the last sections have ended for good, at least in 4514N.

Btw. here's the link to the EEYE's BINDIFFER report, run against the original freecell application and the modified freecell application (2 nops injected after every instruction). BDS Level 1/BDS Level 2: http://piotrbania.com/all/4514N/diff_report.txt

Geez, I spent all this day answering mails :)

best regards,
pb

P.S. As always, sorry for my bad English.
--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr () gmail com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com - Key ID: 0xBE43AC33
--------------------------------------------------------------------
- "The more I learn about men, the more I love dogs."